Analysis
-
max time kernel
114s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
19-05-2024 01:52
General
-
Target
4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll
-
Size
120KB
-
MD5
4bceefbe345b452abeb46ece84d2ed50
-
SHA1
c77be676463a84a7350f0a43f3117e79562efa16
-
SHA256
93fe6d0e6779b13610e5106a44faa5f7089232d5ef85926bf9a0eb8a6e774a5d
-
SHA512
d0f877869d769d866750b6b05165c7c63b5043b0830591c634a4b9577edd323d10bd24a23766d80884dfa7b490721d59240b929b7d54d726dab53afb57e9f392
-
SSDEEP
1536:LKlY9zzPhfAkgf1nF8BleBXWX8TtKjf1ZIh8O8uOyVh8Y2Cdv4TVEKLx3yScvxv/:mizPGnF8BuEk3Y/CdyFncvRu3
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e574d55.exeC:\Users\Admin\AppData\Local\Temp\e574d55.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e574f1a.exeC:\Users\Admin\AppData\Local\Temp\e574f1a.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e578b0a.exeC:\Users\Admin\AppData\Local\Temp\e578b0a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e574d55.exeFilesize
97KB
MD5fec4f783bd68280cc60aedb74e1a4481
SHA105a05fc98323e28d5bb5a2a194a05698911faaea
SHA256d2927b19d9a11f5998311d9a6a98c169dbed017cc197b5180f1cb6de99c2a526
SHA512f582543b4a3151b352e2f4fe300b69db0dd1329f5cf87e512edb8a6178cedb6cc85700eb29043bfe0c5d7673d177ca07513b73a5c1f2238c76162b8c523e3b72
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5b1584fa14735d1475e9223cf8aac515f
SHA111d619c157ef08f43df973f58c144eceecf49168
SHA256b036ae8e30b22eb90a0392750e4a09dbe5d284006e6f52eb75c7e76ab45226dd
SHA512a347a34293344e1a7e6e59abac6fd48b43c17ca14cb2ce97bd08abf29b89a50ed836df1ef9281c4addfe6fc016637a8828ac27b1a7ff0fbc303b4c15b0626d19
-
memory/1792-15-0x0000000003DD0000-0x0000000003DD1000-memory.dmpFilesize
4KB
-
memory/1792-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1792-51-0x0000000003D40000-0x0000000003D42000-memory.dmpFilesize
8KB
-
memory/1792-13-0x0000000003D40000-0x0000000003D42000-memory.dmpFilesize
8KB
-
memory/1792-14-0x0000000003D40000-0x0000000003D42000-memory.dmpFilesize
8KB
-
memory/1792-29-0x0000000003D40000-0x0000000003D42000-memory.dmpFilesize
8KB
-
memory/2008-76-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2008-45-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-25-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-31-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-11-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-28-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2008-26-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2008-10-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-12-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-6-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-33-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-32-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-34-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-35-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-36-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2008-67-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-37-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-85-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2008-43-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-42-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-17-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/2008-46-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-9-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-55-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-61-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-62-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-64-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/2008-8-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/4588-41-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4588-39-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4588-89-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4588-40-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/5004-103-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/5004-92-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/5004-94-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/5004-111-0x0000000000680000-0x0000000000682000-memory.dmpFilesize
8KB
-
memory/5004-110-0x0000000000690000-0x0000000000691000-memory.dmpFilesize
4KB
-
memory/5004-90-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/5004-93-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/5004-140-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5004-141-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB